Plundervolt comes from researchers at the University of Birmingham in the U.K., Graz University of Technology in Austria and KU Leuven in Belgium. They told Intel of the issue in June. Other researchers, however, were right behind them.

Intel's advisory says it was notified of the same findings in August by a team from Technische Universität Darmstadt and the University of California and by a separate team from the University of Maryland and Tsinghua University.

Affects Skylake CPUs

Plundervolt is an attack against Intel's Software Guard Extensions, which were introduced in 2013. SGX creates safe places in memory, called enclaves, where code can be neither disclosed nor modified even if an attacker has kernel-level access.

SGX enclaves are used, for example, to calculate encryption keys and store data. The researchers found, however, that by tampering with the voltage, calculations within the enclave could be corrupted in a predictable way and, in other situations, made to leak data.

"In multiple case studies, we show how the induced faults in enclave computations can be leveraged in real-world attacks to recover keys from cryptographic algorithms (including the AES-NI instruction set extension) or to induce memory safety vulnerabilities into bug-free enclave code," they write in a research paper, which was published by The Register.

They say all SGX-enabled Intel Core processors from the Skylake family onward are vulnerable.

Modern CPUs adjust their power usage depending on computational loads and rarely run at maximum speed. The Plundervolt attack pivots on an attacker being able to access the privileged dynamic voltage interfaces in order to modify the power supplied. They're the same interfaces gamers use to overclock processors. But access to those interfaces does mean an attacker needs to have kernel-level access already.

"Using this interface to very briefly decrease the CPU voltage during a computation in a victim SGX enclave, we show that a privileged adversary is able to inject faults into protected enclave computations," according to the researchers' paper. "Crucially, since the faults happen within the processor package, i.e., before the results are committed to memory, Intel SGX's memory integrity protection fails to defend against our attacks. To the best of our knowledge, we are the first to practically showcase an attack that directly breaches SGX's integrity guarantees."

'Undervolting'

Such an attack has varying effects. In one video, the researchers show how "undervolting" can cause critical data to be written outside of the secure enclave in untrusted memory rather than within.

It's also possible to create errors. Processors will do correct calculations, but only if they're run within the proper power specifications. Dropping the power can cause calculation mistakes, as demonstrated in another video.

In another video, the researchers show how it's possible to recover AES keys after intentionally causing calculation errors through undervolting. In their paper, they also write that it's possible to recover RSA keys from implementations running in SGX.

Intel's Fix

The researchers provided an analysis of Intel's fix, which they recommended to the company. But they warned it doesn't get rid of the underlying problem.

Intel's fix includes a BIOS patch that disables the interface that allows for adjusting the voltage for actions such as overclocking. But the researchers warned that "other yet undiscovered avenues for fault injection through power and clock management features might exist (and would have to be disabled in a similar manner)."

Even if the software interfaces are sealed off, there's still a potential for a hardware-based attack, they write.

"Especially disturbing in this respect is that the SerialVID bus between the CPU and voltage regulator appear to be unauthenticated," the paper says. "Hence adversaries might be able to physically connect to this bus and overwrite the requested voltage directly at the hardware level."

About the Author

Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.
